c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96

General

Target

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Size

4.2MB
MD5

f0589c1ed7654af37aa19e3cb5447e60
SHA1

7b3419aaef6677a21cdacc51b02d0bb361c61327
SHA256

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96
SHA512

24fc50eec04b88c59c79a2298b4dd626a420e05d53b2e03831ec7f9cc2ede8d5c1b1929515f970ea8e2c51fc155abb5786e0e2ce452acbeb51ca8aa96c4afe87
SSDEEP

98304:OVtlEGUFz0EHwMbc2f1gTCjtY17RvdkQNPxpnBmgrJ6sMTKFI4Rr+i3+G0PCqKge:sUFzHrbc2fSvD8K

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32\ = "C:\\Program Files (x86)\\GoSSave\\Zg4rTx2w6.x64.dll"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exeregsvr32.exeregsvr32.exe

pid process

1952 c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
1168 regsvr32.exe
2032 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
1168	regsvr32.exe
2032	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exec40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ = "GoSSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ = "GoSSave"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}\NoExplorer = "1"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{45CF912D-6FEB-EEC6-C869-A9626192A144}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

Drops file in Program Files directory 8 IoCs

Processes:

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.dll	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File opened for modification	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.dll	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File created	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.tlb	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File opened for modification	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.tlb	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File created	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.dat	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File opened for modification	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.dat	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File created	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
File opened for modification	C:\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exec40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{45CF912D-6FEB-EEC6-C869-A9626192A144}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{45CF912D-6FEB-EEC6-C869-A9626192A144}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

Modifies registry class 64 IoCs

Processes:

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ProgID	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve.2.0\CLSID\ = "{45CF912D-6FEB-EEC6-C869-A9626192A144}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\CLSID\ = "{45CF912D-6FEB-EEC6-C869-A9626192A144}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ProgID	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GoSSave\\Zg4rTx2w6.tlb"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSSave"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve.2.0\CLSID	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\CurVer\ = "GoSavve.2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ProgID\ = "GoSavve.2.0"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ = "GoSSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\VersionIndependentProgID\ = "GoSavve"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\ = "GoSSave"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\CLSID	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\CurVer	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32\ThreadingModel = "Apartment"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve.2.0	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\Programmable	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve.2.0\ = "GoSSave"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve\CLSID\ = "{45CF912D-6FEB-EEC6-C869-A9626192A144}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\InprocServer32\ = "C:\\Program Files (x86)\\GoSSave\\Zg4rTx2w6.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSavve.GoSavve.2.0\ = "GoSSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144}\ProgID	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exeregsvr32.exe

description	pid	process	target process
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1952 wrote to memory of 1168	1952	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 2032	1168	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{45CF912D-6FEB-EEC6-C869-A9626192A144} = "1"	c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe

C:\Users\Admin\AppData\Local\Temp\c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe
"C:\Users\Admin\AppData\Local\Temp\c40167bacb91823527b33edc42b7c238bb4322aac662ee9b57c044aa011acb96.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSSave\Zg4rTx2w6.dat
Filesize
4KB

MD5
4b321e4226c63b33122416c8bf87a5b7

SHA1
cfcfa1d4800d6faf323d46e1afa9bd4153d4c9d2

SHA256
df1052bb6f6c50a483cc5f982727911f4a184cd4ad7d015a6f074f854f3b4734

SHA512
0109aba3652ddebe77b38a83ba1d1a3dd4ff33be0ddcaeb8cff701284eed17833e2bb4bb1b863d4c663d69816d6283231a4be5fdbe356d68dcb9311434b98143

Download Submit
C:\Program Files (x86)\GoSSave\Zg4rTx2w6.tlb
Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\GoSSave\Zg4rTx2w6.dll
Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\GoSSave\Zg4rTx2w6.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
memory/1168-61-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1952-55-0x0000000000760000-0x0000000000803000-memory.dmp

Filesize
652KB

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download
memory/2032-66-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads